Radiant Capital reveals North Korea behind $50 million hack

Radiant Capital has disclosed that a $50 million hack on its decentralized finance (DeFi) platform in October was executed by a North Korean threat actor posing as a former contractor.

In a December 6 update regarding the ongoing investigation, Radiant reported that its cybersecurity partner, Mandiant, has determined “with high confidence” that the attack was linked to a Democratic People’s Republic of Korea (DPRK)-aligned hacker.

The incident began when a developer at Radiant received a Telegram message containing a zip file from someone claiming to be a trusted ex-contractor on September 11.

The message requested feedback on a new project, and upon review, it is suspected that this communication originated from the DPRK-aligned threat actor impersonating the contractor.

When shared among developers for feedback, the zip file delivered malware that enabled the subsequent breach.

On October 16, Radiant Capital was compelled to suspend its lending markets after hackers gained control of several signers’ private keys and smart contracts.

North Korean hacking groups have historically targeted cryptocurrency platforms, reportedly stealing around $3 billion in crypto between 2017 and 2023.

Radiant noted that the file did not raise suspicions because “requests to review PDFs are routine in professional settings,” and sharing documents in this format is common practice among developers.

The domain associated with the zip file also mimicked the legitimate website of the contractor.

Multiple devices belonging to Radiant developers were compromised during this attack, allowing malicious transactions to be signed while front-end interfaces displayed benign data.

“Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages,” Radiant stated.

The company believes the responsible threat actor is known as “UNC4736,” also referred to as “Citrine Sleet,” which is thought to be connected to North Korea’s main intelligence agency, the Reconnaissance General Bureau (RGB).

Following the incident, approximately $52 million of the stolen funds was moved on October 24.

Radiant emphasized that even rigorous security practices can be bypassed by advanced threat actors and called for stronger hardware-level solutions for validating transaction payloads. 

This incident follows another exploit earlier in the year, where Radiant halted lending markets due to a $4.5 million flash loan attack.

As of December 9, Radiant's total value locked has decreased significantly from over $300 million at the end of last year to around $5.81 million.